Abstract. Very few known cryptographic primitives are based on noncommutative algebra. Each new scheme is of substantial interest, because noncommutative constructions are secure against many standard cryptographic attacks. On the other hand, cryptography does not provide security proofs that might allow the security of a cryptographic primitive to rely upon structural complexity assumptions. Thus, it is important to investigate weaker notions of security.In this paper, new constructions of cryptographic primitives based on group invariants are proposed, together with new ways to strengthen them for practical use. Also, the notion of a provable break is introduced, which is a weaker version of the regular cryptographic break. In this new version, an adversary should have a proof that he has correctly decyphered the message. It is proved that the cryptosystems based on matrix group invariants and a version of the Anshel-Anshel-Goldfeld key agreement protocol for modular groups are secure against provable break unless NP = RP. §1. Algebraic cryptography Public-key cryptography, since its very beginning [16,53], has been actively employing algebraic constructions. For example, the RSA protocol is based on number theory; the very construction of the protocol requires computing the Euler totient ϕ(n). Its security is based on factoring a number into prime divisors, or, more precisely, on the hardness of the so-called "RSA problem": find roots of a given degree modulo a number n = pq, where p and q are prime (this task may not be equivalent to factoring; see [14,54,15] for more information).However, the term algebraic cryptography is usually employed in a narrower meaning. Algebraic cryptography deals with constructions where encoding and decoding are both group homomorphisms. In [29], Grigoriev and Ponomarenko gave the following definition of a homomorphic cryptosystem (compare with Definition 2, where we introduce the general notion of a cryptosystem). Definition 1. Let H be a finite nonidentity group, G a finitely generated group, and f : G → H an epimorphism. Assume that R is a set of distinct representatives of the right cosets of ker(f ) in G, A is a set of words in some alphabet, and a mapping P : A → G satisfies Im(P ) = ker(f ). A triple S = (R, A, P ) is called a homomorphic cryptosystem over H with respect to f if the following conditions are satisfied:• random elements (of the sets A, G, H) can be generated, and the inverse of an element and the product of two elements (in the group G or H) can be computed2000 Mathematics Subject Classification. Primary 94A60, 68P25, 11T71.
